Carryroo
Login

Privacy policy for Carryroo

Contents
1. Controller2. General information3. Categories of personal data4. Purposes of processing5. Legal bases for processing6. Disclosure of data to other users7. Payment providers8. Hosting, technical providers and processors9. Transfers to third countries10. Cookies and similar technologies11. Email, SMS and notifications12. Storage and deletion13. Security14. Minors15. Automated decisions and profiling16. Data subject rights17. Right to object18. Withdrawal of consent19. Right to complain to a supervisory authority20. Changes to this privacy policy

1. Controller

The controller responsible for processing personal data in connection with the Carryroo platform is:

EnM Industry GmbHDennewartstraße 2552068 AachenGermany
Email
info@enmindustry.com
Phone
+49 241 9213 5957
Managing Director/CEO
Dr. Amir Kianfar
Commercial register court
Local Court of Aachen
Register number
HRB 23492
VAT ID
DE329957151
Tax number
201/5956/4943

2. General information

Carryroo is a digital matching platform. Registered users can create handoff requests as Senders or publish real trips and accept requests as Couriers.

Carryroo provides digital functions such as registration, login, user profiles, trip publishing, trip search, internal communication, order management, payment processing through external payment providers, status tracking, ratings, support, verification and dispute handling.

Carryroo does not receive, store, transport or deliver documents or items itself.

This privacy policy explains which personal data we process, for which purposes, on which legal basis and which rights data subjects have.

3. Categories of personal data

Depending on how the platform is used, we may process the following categories of data:

  • registration and account data, including name, display name, email address, password hash, phone number, language, role, account status and login/security data
  • profile data, including avatar, address, date of birth, nationality, voluntary profile details, contact details, ratings and trust indicators
  • verification data, including email or phone verification status, verification codes, proofs, review status and information from external verification providers
  • trip data from Couriers, including departure and destination countries or cities, handoff windows, notes, handoff options and trip status
  • request and order data, including Sender and Courier information, item description, weight, dimensions, price, counter offers, fees, payment status, handoff places, handoff windows, cancellation reasons and dispute status
  • communication data, including message content, sender, recipient, timestamps, attachments, system messages, support communication and dispute communication
  • payment and billing data, including payment status, transaction numbers, amount, currency, service fees, payout status, refund status, payment provider and tax-relevant booking information
  • rating, support, complaint and dispute data
  • technical data such as IP address, access time, device, browser, operating system, language settings, referrer URL, accessed pages, log files, session IDs, security events and error logs

4. Purposes of processing

We process personal data in particular for the following purposes:

  • providing the Carryroo platform
  • registration, login and account management
  • email verification and password reset
  • role management for Sender and Courier workspaces
  • publishing, searching and managing trips
  • creating, accepting, rejecting, changing and canceling requests
  • order management and internal user communication
  • payment processing, refunds and payouts through external payment providers
  • support, complaint handling and dispute handling
  • user verification, fraud prevention, abuse prevention and platform security
  • enforcing terms, prohibited-item rules and risk notices
  • ratings, trust mechanisms, quality assurance and product improvement
  • technical security, system stability, legal compliance and legal claims

5. Legal bases for processing

Personal data is processed on the basis of the General Data Protection Regulation (GDPR).

5.1 Contract performance and pre-contractual measures

We process data where this is necessary to perform the platform contract with users or to take pre-contractual steps. The legal basis is Art. 6(1)(b) GDPR.

5.2 Legal obligations

We process data where this is necessary to comply with legal obligations, for example tax, commercial, accounting or official obligations. The legal basis is Art. 6(1)(c) GDPR.

5.3 Legitimate interests

We process data on the basis of legitimate interests where the interests or fundamental rights of data subjects do not override them. This includes secure platform operation, fraud prevention, abuse prevention, dispute handling, rule enforcement, protecting other users, technical error analysis, product improvement, documentation of consent and defense against claims. The legal basis is Art. 6(1)(f) GDPR.

5.4 Consent

Where we request consent, processing is based on that consent. This may include non-essential cookies, analytics or marketing tools, certain notifications, voluntary profile information, voluntary verification data or later identity checks by external providers. The legal basis is Art. 6(1)(a) GDPR.

6. Disclosure of data to other users

For requests and orders, certain data may need to be visible to the other party, for example display name, profile information, ratings, verification status, trip data, request and order data, rough item description, handoff place and time, recipient information where required, platform messages and status information.

Users may use other users' data only for the relevant order. Other use, disclosure to third parties, publication or misuse is prohibited.

7. Payment providers

Payments are processed through external payment providers. The specific provider will be added once it is finalized.

The payment provider processes payment data for payments, refunds, payouts, fraud prevention and its own legal obligations. Carryroo generally does not store complete credit card data or comparable full payment instrument data.

8. Hosting, technical providers and processors

For platform operation, we use technical providers, in particular for hosting, databases, email delivery, SMS or notification services, support systems, security and monitoring services, payment integration, analytics or error diagnosis and verification services where used.

Where providers process personal data on our behalf, we conclude data processing agreements under Art. 28 GDPR. The specific providers will be added once finalized.

9. Transfers to third countries

Personal data may be transferred outside the EU or EEA if providers are located there, use servers there or enable access from there.

In such cases, we ensure appropriate safeguards under the GDPR, such as adequacy decisions, EU standard contractual clauses, additional safeguards and contractual or technical security measures.

10. Cookies and similar technologies

Carryroo may use cookies and similar technologies. Necessary cookies are required for the technical operation of the platform, such as login sessions, language settings, security functions and order processes.

Non-essential cookies, analytics tools, marketing tools or tracking technologies are used only where valid consent exists, if legally required. Details are shown in the cookie banner or cookie settings.

11. Email, SMS and notifications

We may contact users by email, SMS, in-app message or comparable channels where this is necessary for platform use.

  • email verification
  • login and security messages
  • password reset
  • order notifications
  • message notifications
  • payment and status information
  • support and dispute messages
  • important changes to platform rules

Marketing messages are sent only if there is a legal basis or consent.

12. Storage and deletion

We store personal data only for as long as necessary for the relevant purposes. The storage period depends in particular on the duration of the user account, open requests or orders, payment or dispute cases, legal retention duties, evidence interests, security and abuse prevention and limitation periods.

After the relevant periods expire, data is deleted or anonymized unless legal obligations or legitimate interests prevent this.

13. Security

We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration or disclosure.

  • encrypted transmission
  • password hashing
  • role-based access control
  • access restrictions for admin and support areas
  • logging of security-relevant events
  • time-limited verification and reset tokens
  • technical safeguards against unauthorized access
  • regular review and improvement of security measures

14. Minors

The platform is not directed at children. Use by minors is permitted only if the legal requirements are met and Carryroo expressly allows such use.

Carryroo may require age proof or additional confirmations and may restrict or delete accounts if there are doubts about lawful use.

15. Automated decisions and profiling

Carryroo may use internal risk, trust and security indicators, for example based on verification status, cancellation rate, response time, dispute rate, completed orders or rule violations.

No solely automated decision with legal effect or similarly significant impact takes place unless we separately inform users and meet the legal requirements.

16. Data subject rights

Data subjects have rights under the GDPR, including access, rectification, deletion, restriction of processing, data portability, objection to certain processing, withdrawal of consent and complaint to a data protection supervisory authority.

To exercise these rights, users can contact us at:

  • info@enmindustry.com

17. Right to object

Where we process personal data based on legitimate interests, data subjects may object to processing for reasons relating to their particular situation.

We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds or the processing serves legal claims.

18. Withdrawal of consent

Consent can be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

19. Right to complain to a supervisory authority

Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent authority may be the authority at the data subject's place of residence or at the controller's registered office.

20. Changes to this privacy policy

We may amend this privacy policy if our platform, data processing, providers or legal requirements change. The current version is available on the platform.

Carryroo

Secure handoffs through real trips.

Legal noticePrivacy policyTerms

© 2026 Carryroo. All rights reserved.